summaryrefslogtreecommitdiff
path: root/source3/include/client.h
AgeCommit message (Collapse)AuthorFilesLines
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-2/+2
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-07-16Refactor signing code to remove most dependencies on 'struct cli'.Jeremy Allison1-12/+0
Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
2003-07-15Added the "required" keyword to the "client signing" parameter to force itJeremy Allison1-1/+1
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett1-5/+10
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-04-09This is the netlogon schannel client code. Try aVolker Lendecke1-0/+6
rpcclient -S pdc -U% -c "samlogon user password" and it should work with the schannel. Needs testing against platforms different from NT4SP6. Volker (This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
2003-03-18Merge from HEAD:Andrew Bartlett1-6/+7
A much better SMB signing module, that allows for mulitple signing algorithms and correctly backs down from signing when the server cannot sign the reply. This also attempts to enable SMB signing on NTLMSSP connections, but I don't know what NTLMSSP flags to set yet. This would allow 'client use signing' to be set by default, for server compatability. (A seperate option value should be provided for mandetory signing, which would not back down). Andrew Bartlett (This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b)
2003-03-17Merge from HEAD:Andrew Bartlett1-2/+2
signed/unsigned (mostly i counters) a little bit of const. Andrew Bartlett (This used to be commit 50f0ca752e5058c4051f42a9337361373ba1f727)
2003-03-13Change size parameters from signed to unsigned to fix up warnings.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 33b11d5eb53bdeb9d279d221fd5c01579253e1c7)
2003-02-24Merge from HEAD client-side authentication changes:Andrew Bartlett1-1/+6
- new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
2002-12-10Fix client reporting of 64 bit files.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 8dcbfa4e770d74d4ce6faaf1a0597d07d0a5cc81)
2002-10-01Cope with rw errors and timeout to peer.Jeremy Allison1-1/+1
Jeremy. (This used to be commit d8d351eb01ea7c84828dbc96224d7b13d643b558)
2002-10-01Added error string for server timeout on client call.Jeremy Allison1-0/+1
Jeremy. (This used to be commit 28d2eb934318818a3b0527e391987ea139dbf4a3)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-0/+1
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-1/+15
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-02-16Removed some random crap that isn't used anymore.Tim Potter1-1/+0
(This used to be commit 3fb3bc0a1546dadb24231065b422349bd199e1bf)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-02struct cli_state remembers the pipe name that it's talking to, if any,Martin Pool1-0/+3
so that we can print it in later debug messages. (This used to be commit 37ae84f782e1de6fcea92acb2189683cdf8e7e92)
2001-11-27prevent a memory leak of cli structuresAndrew Tridgell1-0/+4
(This used to be commit 911c57403bd116405876e73913ad73efd15f659b)
2001-11-25oops, I forgot to include the header fileAndrew Bartlett1-0/+2
(This used to be commit c28956d8601c103c3f8dab4253de80e6a00a02d7)
2001-10-22a quick fix to get rpcclient working again. This just disablesAndrew Tridgell1-0/+1
NTLMSSP in cli_establish_connection() What we really need to do is kill off the pwd_cache code. It is horrible, and assumes the challenge comes in the negprot reply. (This used to be commit 3f919b4360b3bfcc133f7d88bc5177e9d93f2db2)
2001-10-12added NTLMSSP authentication to libsmb. It seems to work well so I have ↵Andrew Tridgell1-1/+1
enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM (This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757)
2001-10-11initial kerberos/ADS/SPNEGO support in libsmb and smbclient. ToAndrew Tridgell1-1/+2
activate you need to: - install krb5 libraries - run configure - build smbclient - run kinit to get a TGT - run smbclient with the -k option to choose kerberos auth (This used to be commit d33057585644e1337bac743e25ed7653bfb39eef)
2001-09-25added a little smbtorture test for dumping the unicode table of aAndrew Tridgell1-1/+1
server. This is just a framework right now - I want this to eventually replace the win32 test code from monyo The interesting this about this test is that it shows up a really horrible performance bug in our stat cache code. I'll see if I can fix it. (This used to be commit eb668b54af4925194c07b217724657f406ec00d0)
2001-08-10Removed nt_error field from cli_state as it was not used anywhere.Tim Potter1-1/+0
(This used to be commit 589aaa5fb1ac55d8b0d5ae95921f071eb6ddacf6)
2001-06-18added a oplock break handler hook to the client code, this allows for more ↵Andrew Tridgell1-0/+3
complete testing of oplocks from smbtorture and would also be essential if a client app ever really did want to use oplocks properly (This used to be commit 3d4a3bfacd9ef225aeaab801e5a216d12814b60a)
2001-03-10to use the same macros in the client and server rename the CLISTR_Andrew Tridgell1-7/+0
macros to STR_ (This used to be commit 95c9e4e0ba8f37f565aaf136f41eb76489441ff7)
2001-02-26made some LANMAN1 wildcard progressAndrew Tridgell1-0/+1
it now handles -M LANMAN1 -f '.x' -m '?x' nicely (This used to be commit e7ccb9be6da9b1426eb136b4a0a1171232471768)
2001-02-21added support for a CLISTR_ASCII flag so we can use a uniformAndrew Tridgell1-0/+1
interface for ascii-only fields (This used to be commit cdf0316610803e6743936b29f232b32f9ec81422)
2001-02-20initial client side unicode support (needed for netapp filer)Andrew Tridgell1-0/+6
I've currently got this code disabled by default as it is incomplete. You enable it by setting a USE_UNICODE environment variable. Once the support is complete this check will be removed and the CAP_UNICODE capability bit will be the sole determination of whether the client library code uses unicode right now I have converted session_setup and tconx. I will do more fns over the next few days. see clistr.c for the new client side string interface. Luckily it tends to make the code smaller and neater while adding unicode support. (This used to be commit e1a04e621f1c28d8e6e543d43741ca0272e2237f)
2000-11-16Ok - fixed a bug in our levelII oplock code. We need to break a level II onJeremy Allison1-0/+1
a byte range lock (write lock only, but Win2k breaks on read lock also so I do the same) - if you think about why, this is obvious. Also fixed our client code to do level II oplocks, if requested, and fixed the code where we would assume the client wanted level II if it advertised itself as being level II capable - it may not want that. Jeremy. (This used to be commit 213cd0b5192307cd4b0026cae94b2f52fb1b0c02)
2000-07-27Ok - this is a *BIG* change - but it fixes the problems with static stringsJeremy Allison1-0/+2
in the RPC code. This change was prompted by trying to save a long (>256) character comment in the printer properties page. The new system associates a TALLOC_CTX with the pipe struct, and frees the pool on return of a complete PDU. A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx code, and is freed in the main loop. This code works with insure, and seems to be free of memory leaks and crashes (so far) but there are probably the occasional problem with code that uses UNISTRxx structs on the stack and expects them to contain storage without doing a init_unistrXX(). This means that rpcclient will probably be horribly broken. A TALLOC_CTX also needed associating with the struct cli_state also, to make the prs_xx code there work. The main interface change is the addition of a TALLOC_CTX to the prs_init calls - used for dynamic allocation in the prs_XXX calls. Now this is in place it should make dynamic allocation of all RPC memory on unmarshall *much* easier to fix. Jeremy. (This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4)
2000-07-03first pass at merging rpcclient from TNG to HEAD. You can get aGerald Carter1-0/+2
semi-connection and a rpcclient prompt, but no functionality there yet. Will be a few more days on that. The changes to the header files were minor. A few struct's and a few additional fields to existing ones. No deletions. **minimal change necessary** :-) Well, maybe not minimal, but I tried. All other programs compile, link and run ok from what I can tell so I don;t think I broke anything. --jerry (This used to be commit cd7f0b0b91afd3331c0607ba2fcb3ccdd41ecebf)
2000-04-30YIPEE!!!!!Andrew Tridgell1-0/+1
We finally have a perfect emulation of Microsoft wildcard matching. The routine ms_fnmatch() does wildcard matching with all MS wildcards (including the unicode wildcards), and masktest against a NT4 workstation with hundreds of thousands of random exmaples has not found a single error. amazingly it is only about 60 lines of code, but it has taken us years to get it right. I didn't sleep much last night :) (This used to be commit cc9e007cdfdd300189f89e2a55e4234e47fa842d)
2000-01-03simple mods to add msrpc pipe redirection. default behaviour: fall backLuke Leighton1-15/+0
to using internal msrpc code in smbd. (This used to be commit 8976e26d46cb991710bc77463f7f928ac00dd4d8)
1999-12-13first pass at updating head branch to be to be the same as the SAMBA_2_0 branchAndrew Tridgell1-16/+27
(This used to be commit 453a822a76780063dff23526c35408866d0c0154)
1999-12-08ABOUT TIME!!!!!!!!Luke Leighton1-33/+3
damn, this one is bad. started, at least two days ago, to add an authentication mechanism to the smbd<->msrpc redirector/relay, such that sufficient unix / nt information could be transferred across the unix socket to do a become_user() on the other side of the socket. it is necessary that the msrpc daemon inherit the same unix and nt credentials as the smbd process from which it was spawned, until such time as the msrpc daemon receives an authentication request of its own, whereupon the msrpc daemon is responsible for authenticating the new credentials and doing yet another become_user() etc sequence. (This used to be commit 30c7fdd6ef10ecd35594311c1b250b95ff895489)
1999-12-03starting "connection reuse" system in smb-agent. added version numberLuke Leighton1-0/+1
which isn't actually used right now :-) (This used to be commit d54a64ae3ab7cdc1ac67fb49f7255e6a106d624e)
1999-12-03cool! a unix socket smb redirector. code based on smbfilter andLuke Leighton1-0/+1
ideas from ssh-agent. the intent is to be able to share smb sessions using cli_net_use_add() across multiple processes, where one process knows the target server name, user name and domain, but not the smb password. (This used to be commit 294b653f2e9cdc1864ec638ae8b4300df25723cf)
1999-11-29first attempt at getting \PIPE\NETLOGON working. it's pretty horrible.Luke Leighton1-3/+0
(This used to be commit 44dd3efa6380544e9a515e91960f9271498cefaf)
1999-11-27further abstraction involving client states. main client-side codeLuke Leighton1-0/+2
is pretty much independent of SMB client states, which will make it easier to add other transports. (This used to be commit a1ff7e8fc3129ba4a04722f977bc2d3725d13624)
1999-11-24ok. *whew*. this is the first completed part of the restructure.Luke Leighton1-6/+14
verified that lsaquery, lsalookupsids work, and found some bugs in the parameters of these commands :-) soo... we now have an lsa_* api that has the same arguments as the nt Lsa* api! cool! the only significant coding difference is the introduction of a user_credentials structure, containing user, domain, pass and ntlmssp flags. (This used to be commit 57bff6fe82d777e599d535f076efb2328ba1188b)
1999-11-21you know what? this sort of thing makes me laugh. hmm, what functionsLuke Leighton1-0/+2
have we got. and what data do we have. hmm.. i wonder what the NTLMv2 user session key can be... hmmm... weell.... there's some hidden data here, generated from the user password that doesn't go over-the-wire, so that's _got_ to be involved. and... that bit of data took a lot of computation to produce, so it's probably _also_ involved... and md4 no, md5? no, how about hmac_md5 yes let's try that one (the other's didn't work) oh goodie, it worked! i love it when this sort of thing happens. took all of fifteen minutes to guess it. tried concatenating client and server challenges. tried concatenating _random_ bits of client and server challenges. tried md5 of the above. tried hmac_md5 of the above. eventually, it boils down to this: kr = MD4(NT#,username,domainname) hmacntchal=hmac_md5(kr, nt server challenge) sess_key = hmac_md5(kr, hmacntchal); (This used to be commit ab174759cd210fe1be888d0c589a5b2669f7ff1e)
1999-06-29improving authentication code (tidyup).Luke Leighton1-8/+19
(This used to be commit ab1a6aa42db5217f025941fb5107436556bc23b7)
1999-01-25Putting back the -p flag in smbclient.Richard Sharpe1-0/+1
However, it seems that the -s flag in smbclient is also ignored :-( (This used to be commit f6c78192664d611d4663ed7459a2789315861eec)
1998-12-07removed nt_pipe_fnum from struct cli_state. need to be able to callLuke Leighton1-1/+0
LsaLookupSids etc from within SamrQueryAliasMembers, for example. fnum is now a parameter to client functions. thanks to mike black for starting the ball rolling. (This used to be commit bee8f7fa6b0f7f995f71303f4e14a4aaed0c2437)
1998-11-12.cvsignore: Removed old entries.Herb Lewis1-0/+9
client/client.c: include/client.h: Added some debug messages that the old client used to generate. These are needed to make scripts such as 'findsmb' work - there may be other changes to keep backwards output compatibility. Do we need a -old-client-compat argument ? libsmb/clientgen.c: Fixed crash bug where malloc'ed data wasn't being cleared - corrupted malloc chains. web/swat.c: John's changes to get rid of "ghost" table entries. (This used to be commit 3c45a3503ea57d17e98eb3e57514161a5c82e45e)
1998-11-09Makefile.in: Removed rpc_server/srv_ldap_helpers.c per J.F.'s instructions.Jeremy Allison1-1/+1
client/client.c: client/clitar.c: include/client.h: smbwrapper/smbw_dir.c: smbwrapper/smbw_stat.c: smbwrapper/smbw.c: lib/util.c: Converted all use of 'mode' to uint16. smbd/quotas.c: Fixed stupid comment bug I put in there :-(. printing/printing.c: Fix from J.F. to new code. Jeremy. (This used to be commit bacd3e9d2036a804e73644a28fc498f229c8446c)
1998-10-24volker was concerned about unique inode numbers and smbsh. This set ofAndrew Tridgell1-9/+9
changes uses the unique index number from a SMB_QUERY_FILE_ALL_INFO to try to provide inode numbers. If it is 0 then use the hash of the filename as before. (This used to be commit 2565ccf9de9d5e80fdb5bcadbc7130faba386d95)
1998-10-15bug-fixing against:Luke Leighton1-0/+2
AS/U: it returns dce/rpc "first" and "last" bits _clear_ in a bind/ack response, when they should be set in a (small) packet. they also, in the bind/ack do not set a secondary address string at all, so we can't check against that... Win95: client-side dce/rpc code is a bit odd. it does a "WaitNamedPipeState" and has slightly different pipe-naming (\PIPE\LANMAN is joined by \PIPE\SRVSVC, \PIPE\WINREG etc whereas nt just has \PIPE\LANMAN and \PIPE\). Win95-USRMGR.EXE: added LsaOpenPolicy (renamed existing to LsaOpenPolicy2). added SamrConnect (renamed existing to SamrConnect2). (This used to be commit a7fccd807b938cbb51002ebae8c7a48b40dbb655)
1998-10-14dce/rpcLuke Leighton1-0/+1
(This used to be commit 69f5f9f88935de1f63ffc9aa19c0629b395e66e6)